fix: various actions workflow security improvements (#17651)

* fix: set persist-credentials explicitly for checkout https://woodruffw.github.io/zizmor/audits/#artipacked * fix: minimize permissions scope for workflows https://woodruffw.github.io/zizmor/audits/#excessive-permissions * fix: remove potential template injections https://woodruffw.github.io/zizmor/audits/#template-injection * fix: only pass needed secrets in workflow_call https://woodruffw.github.io/zizmor/audits/#secrets-inherit * fix: push perm for single-arch build jobs I hadn't realised these push to the registry too :x * chore: fix formatting * fix: $ * fix: retag job quoting --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-18 22:10:27 +02:00
parent 0e6ac87645
commit 504930947d
18 changed files with 269 additions and 63 deletions
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -21,13 +21,14 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-root
  cancel-in-progress: true

+permissions: {}
+
 jobs:
  bump_version:
    runs-on: ubuntu-latest
-
    outputs:
      ref: ${{ steps.push-tag.outputs.commit_long_sha }}
-
+    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
@@ -40,6 +41,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: true

      - name: Install uv
        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5
@@ -59,14 +61,20 @@ jobs:
  build_mobile:
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
-    secrets: inherit
+    secrets:
+      KEY_JKS: ${{ secrets.KEY_JKS }}
+      ALIAS: ${{ secrets.ALIAS }}
+      ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
+      ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
    with:
      ref: ${{ needs.bump_version.outputs.ref }}

  prepare_release:
    runs-on: ubuntu-latest
    needs: build_mobile
-
+    permissions:
+      actions: read # To download the app artifact
+      # No content permissions are needed because it uses the app-token
    steps:
      - name: Generate a token
        id: generate-token
@@ -79,6 +87,7 @@ jobs:
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: false

      - name: Download APK
        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
@@ -90,6 +99,7 @@ jobs:
        with:
          draft: true
          tag_name: ${{ env.IMMICH_VERSION }}
+          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
          files: |